Adding users or groups from a trusted forest

In most cases, when you create a profile for a user or group in a zone, the Active Directory account already exists in the local Active Directory forest. You can, however, also add profiles for remote users and groups to a zone without adding them to the local forest. If you have established a one-way or two-way trust relationship with a remote or external Active Directory forest, you can add users and groups from that forest to a selected Centrify zone.

You add remote or external users and groups to the zone in the same way you add profiles for local Active Directory users and groups, except that you must select the remote forest or domain before searching for the user or group account. For example, at Step 4 of the procedure "To create a group profile for an Active Directory group using Access Manager", click Browse to select a trusted external forest or a specific domain in the trusted forest.

If you have defined a one-way or two-way trust between a local forest and a remote forest, you can select the remote forest in the Browse for container dialog box to add groups from that forest to the currently selected zone.

If you use attribute variables to define any part of the user profile, keep in mind that the Centrify agent cannot directly read any of the attributes for a user from a one-way trusted forest. The agent can retrieve the userPrincipalName and sAMAccountName from the zone profile for the user. However, the agent cannot retrieve other user attributes. If the agent cannot resolve a variable in the user profile, the agent leaves the attribute value undefined. For example, if you use the displayName variable to define the GECOS attribute, that attribute will be undefined for all users from an external forest with a one-way trust.
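The following is an added example, not Centrify's code, that models the resolution rule described above so you can audit a zone profile template before assigning users from a one-way trusted forest. The `${attribute}` placeholder syntax, the `PROFILE_TEMPLATE` field names and the sample user are assumptions constructed for the example.

```python
import re

# Per the text: for a user from a one-way trusted forest the agent can read
# only these two attributes (from the zone profile); everything else is unreadable.
ONE_WAY_READABLE = {"userPrincipalName", "sAMAccountName"}

# Assumed placeholder syntax for attribute variables, e.g. "${displayName}".
VAR_RE = re.compile(r"\$\{(\w+)\}")


def resolve_field(template, attrs, one_way_trust):
    """Expand attribute variables in one profile field.

    Returns None (undefined) when any referenced attribute cannot be read.
    Across a one-way trust that is every attribute outside ONE_WAY_READABLE,
    even if the attribute exists on the account in the remote forest.
    """
    for name in VAR_RE.findall(template):
        if one_way_trust and name not in ONE_WAY_READABLE:
            return None
        if name not in attrs:
            return None
    return VAR_RE.sub(lambda m: attrs[m.group(1)], template)


def resolve_profile(profile_template, attrs, one_way_trust):
    """Resolve every field of a profile template for one user."""
    return {field: resolve_field(t, attrs, one_way_trust)
            for field, t in profile_template.items()}


def undefined_for_one_way(profile_template):
    """Audit helper: fields that will be undefined for one-way-trust users."""
    return sorted(
        field for field, t in profile_template.items()
        if any(n not in ONE_WAY_READABLE for n in VAR_RE.findall(t))
    )


# Constructed sample profile template and remote-forest user attributes.
PROFILE_TEMPLATE = {
    "unixName": "${sAMAccountName}",
    "gecos": "${displayName}",
    "homeDirectory": "/home/${sAMAccountName}",
}
SAMPLE_USER = {
    "sAMAccountName": "jdoe",
    "userPrincipalName": "jdoe@remote.example",
    "displayName": "Jane Doe",
}
```

Running `undefined_for_one_way(PROFILE_TEMPLATE)` flags `gecos`, the displayName-based field from the text, while the sAMAccountName-based fields resolve under either trust type.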